apparmor, libvirt-qemu: add default pki path of libvirt-spice

Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf If people use non-default paths they should use local overrides but the suggested defaults we should open up. This is the default path as referenced by src/qemu/qemu.conf in libvirt. While doing so merge the several places we have to cover PKI access into one. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2024-07-11 12:25:52 +00:00 · 2017-12-20 12:41:55 +01:00 · 2017-12-20 12:41:55 +01:00 · e24d01cb33
commit e24d01cb33
parent aa889e412d
1 changed files with 5 additions and 8 deletions
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@ -88,8 +88,11 @@
  /usr/share/qemu-efi/** r,
  /usr/share/slof/** r,

-  # access PKI infrastructure
-  /etc/pki/libvirt-vnc/** r,
+  # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+  /etc/pki/CA/ r,
+  /etc/pki/CA/* r,
+  /etc/pki/libvirt{,-spice,-vnc}/ r,
+  /etc/pki/libvirt{,-spice,-vnc}/** r,

  # the various binaries
  /usr/bin/kvm rmix,
@ -156,12 +159,6 @@
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

-  # for use by libvirt-vnc (LP: #901272)
-  /etc/pki/CA/ r,
-  /etc/pki/CA/* r,
-  /etc/pki/libvirt/ r,
-  /etc/pki/libvirt/** r,
-
  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,